Merge branch '2.20' into 2.21

Author: cowtowncoder

release-notes/VERSION-2.x

@@ -121,6 +121,12 @@ No changes since 2.19.1
  (requested by Ilenia S)
  (fixed by @pjfanning)
 
+2.18.7 (not yet released)
+
+#1570: Fail parsing from `DataInput` if
+  `StreamReadConstraints.getMaxDocumentLength()` set [GHSA-2m67-wjpj-xhg9]
+ (fix by @cowtowncoder, w/ Claude code)
+
 2.18.6 (22-Feb-2026)
 
 #1512: Number-parsing fix for `UTF8DataInputJsonParser`

src/main/java/com/fasterxml/jackson/core/JsonFactory.java

@@ -11,6 +11,7 @@
 import java.util.List;
 import java.util.Objects;
 
+import com.fasterxml.jackson.core.exc.StreamConstraintsException;
 import com.fasterxml.jackson.core.format.InputAccessor;
 import com.fasterxml.jackson.core.format.MatchStrength;
 import com.fasterxml.jackson.core.io.*;
@@ -1996,6 +1997,13 @@ protected JsonParser _createParser(DataInput input, IOContext ctxt) throws IOExc
         // 13-May-2016, tatu: Need to take care not to accidentally create JSON parser for
         //   non-JSON input.
         _requireJSONFactory("InputData source not (yet?) supported for this format (%s)");
+        // [core#1570] DataInput reads byte-by-byte so we cannot efficiently enforce
+        //   maxDocumentLength. Fail fast if the limit has been configured.
+        if (_streamReadConstraints.hasMaxDocumentLength()) {
+            throw new StreamConstraintsException(
+                    "Can not enforce `StreamReadConstraints.getMaxDocumentLength()` limit with `DataInput`-backed parser: "
+                    +"use other input source types, or remove the max-document-length limit");
+        }
         // Also: while we can't do full bootstrapping (due to read-ahead limitations), should
         // at least handle possible UTF-8 BOM
         int firstByte = ByteSourceJsonBootstrapper.skipUTF8BOM(input);

src/test/java/com/fasterxml/jackson/core/constraints/LargeDocReadTest.java

@@ -8,6 +8,7 @@
 import com.fasterxml.jackson.core.async.AsyncTestBase;
 import com.fasterxml.jackson.core.exc.StreamConstraintsException;
 import com.fasterxml.jackson.core.testsupport.AsyncReaderWrapper;
+import com.fasterxml.jackson.core.testsupport.MockDataInput;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.fail;
@@ -102,6 +103,29 @@ void largeNameWithSmallLimitAsync() throws Exception
         }
     }
 
+    // [core#1570] Should fail fast when DataInput used with maxDocumentLength set
+    @Test
+    void dataInputWithDocLengthLimitFails() throws Exception
+    {
+        final String doc = generateJSON(100);
+        try (JsonParser p = JSON_F_DOC_10K.createParser(new MockDataInput(doc))) {
+            fail("expected StreamConstraintsException");
+        } catch (StreamConstraintsException e) {
+            verifyException(e, "DataInput");
+            verifyException(e, "maxDocumentLength");
+        }
+    }
+
+    // [core#1570] DataInput without maxDocumentLength should still work
+    @Test
+    void dataInputWithoutDocLengthLimitWorks() throws Exception
+    {
+        final String doc = generateJSON(100);
+        try (JsonParser p = JSON_F_DEFAULT.createParser(new MockDataInput(doc))) {
+            consumeTokens(p);
+        }
+    }
+
     @Test
     void tokenLimitBytes() throws Exception {
         final String doc = generateJSON(StreamReadConstraints.defaults().getMaxNameLength() - 100);